Eccouncil Exam 212-82 Topic 17 Question 32 Discussion

Actual exam question for Eccouncil's 212-82 exam
Question #: 32
Topic #: 17

The SOC department in a multinational organization has collected logs of a security event as "Windows.events.evtx". Study the Audit Failure logs in the event log file located in the Documents folder of the "Attacker Machine-1" and determine the IP address of the attacker. (Note: The event ID of Audit Failure logs is 4625.)

(Practical Question)

Suggested Answer: C

The IP address of the attacker is 10.10.1.16. This can be verified by analyzing the Windows.events.evtx file with a tool such as Event Viewer or Log Parser. The file contains several Audit Failure logs with event ID 4625, which indicate failed logon attempts to the system. These logs show that the source network address of the failed logon attempts is 10.10.1.16, which is the IP address of the attacker.

[Screenshot of Event Viewer showing one of the Audit Failure logs]
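One way to carry out the analysis the question asks for, as an added example that is not part of the exam or of this site's answer: it parses the XML that Event Viewer ("Save As XML") or wevtutil exports from the .evtx, keeps only event ID 4625 records, and tallies them by the IpAddress field, which Event Viewer displays as "Source Network Address". It assumes the export is wrapped in a single <Events> root; the sample records are constructed for this example.

```python
"""Tally Windows Security 4625 (Audit Failure: failed logon) events by source IP.
Input: Event Viewer / wevtutil XML export wrapped in one <Events> root.
The sample records below are constructed for this example."""
import xml.etree.ElementTree as ET
from collections import Counter
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

def _event(event_id, when, **data):
    """Build one <Event> in the Windows event XML schema (sample-data helper)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample: two failures from 10.10.1.16, one from 10.10.1.10,
# one console failure with no network source ('-'), and one success (4624).
SAMPLE_XML = "<Events>" + "".join([
    _event(4625, "2024-01-01T10:00:01Z", TargetUserName="Administrator",
           LogonType="3", IpAddress="10.10.1.16", Status="0xc000006d"),
    _event(4625, "2024-01-01T10:00:02Z", TargetUserName="backup",
           LogonType="3", IpAddress="10.10.1.10", Status="0xc000006d"),
    _event(4625, "2024-01-01T10:00:03Z", TargetUserName="alice",
           LogonType="2", IpAddress="-", Status="0xc000006d"),
    _event(4625, "2024-01-01T10:00:04Z", TargetUserName="Administrator",
           LogonType="3", IpAddress="10.10.1.16", Status="0xc000006d"),
    _event(4624, "2024-01-01T10:00:05Z", TargetUserName="alice",
           LogonType="3", IpAddress="10.10.1.16"),
]) + "</Events>"

def failed_logons(xml_text):
    """Yield (time, target user, source IP, logon type) for each 4625 event."""
    root = ET.fromstring(xml_text)
    for ev in root.iter(f"{{{EVT_NS}}}Event"):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue  # only Audit Failure logon events are of interest
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        yield when, data.get("TargetUserName"), data.get("IpAddress"), data.get("LogonType")

def failures_by_source(xml_text):
    """Count 4625 events per source address, ignoring '-' (no network source)."""
    return Counter(ip for _, _, ip, _ in failed_logons(xml_text) if ip and ip != "-")

def top_source(xml_text):
    """Address with the most failed logons, or None if there were none."""
    counts = failures_by_source(xml_text)
    return counts.most_common(1)[0][0] if counts else None
```

On a real export, also look at LogonType: interactive (type 2) failures record '-' as the source, so a run of type-3 (network) failures from a single address against the same account is the pattern that points at the remote host.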


Contribute your Thoughts:

Pete
4 months ago
Let's hope the attacker wasn't using a VPN or proxy to hide their real IP address. That would make this question a bit trickier.
upvoted 0 times
Lonna
4 months ago
I wonder if the attacker was trying to access the 'Windows.events.evtx' file to cover their tracks. That would be a nice touch of irony.
upvoted 0 times
Dahlia
3 months ago
B) 10.10.1.10
upvoted 0 times
Kara
3 months ago
I think the attacker's IP address is 10.10.1.12.
upvoted 0 times
Nickolas
4 months ago
A) 10.10.1.12
upvoted 0 times
Chandra
4 months ago
This seems like a straightforward question, but you never know with these cybersecurity exams. Better double-check those logs carefully!
upvoted 0 times
Belen
3 months ago
D) 10.10.1.19
upvoted 0 times
Kimbery
3 months ago
I believe it's C) 10.10.1.16; let's confirm.
upvoted 0 times
Lashanda
3 months ago
C) 10.10.1.16
upvoted 0 times
Antonio
3 months ago
No, it's not B) 10.10.1.10; let's keep looking.
upvoted 0 times
Lynsey
3 months ago
B) 10.10.1.10
upvoted 0 times
Catalina
4 months ago
I think it might be A) 10.10.1.12, but let's verify.
upvoted 0 times
Clarence
4 months ago
A) 10.10.1.12
upvoted 0 times
Jeannetta
5 months ago
Ah, the classic 'find the attacker's IP' question. I bet it's one of those tricky answers where the IP is hidden in plain sight.
upvoted 0 times
Otis
3 months ago
C) 10.10.1.16
upvoted 0 times
Catherin
3 months ago
B) 10.10.1.10
upvoted 0 times
Shawn
3 months ago
A) 10.10.1.12
upvoted 0 times
Dannie
3 months ago
D) 10.10.1.19
upvoted 0 times
Shalon
4 months ago
C) 10.10.1.16
upvoted 0 times
Aileen
4 months ago
B) 10.10.1.10
upvoted 0 times
Tamala
4 months ago
A) 10.10.1.12
upvoted 0 times
Shanda
5 months ago
I'm not sure, but I think D) 10.10.1.19 could also be a possibility.
upvoted 0 times
Irene
5 months ago
I'm pretty sure the IP address of the attacker will be in one of those logs. This is a good way to identify the culprit.
upvoted 0 times
Jeff
4 months ago
B) 10.10.1.10
upvoted 0 times
Golda
4 months ago
I think it might be A) 10.10.1.12.
upvoted 0 times
Lawana
4 months ago
A) 10.10.1.12
upvoted 0 times
Loren
5 months ago
I'm leaning towards C) 10.10.1.16, based on the event ID provided.
upvoted 0 times
Jenise
5 months ago
I disagree; I believe the correct answer is B) 10.10.1.10.
upvoted 0 times
Janet
5 months ago
I think the answer is A) 10.10.1.12.
upvoted 0 times
Jillian
6 months ago
The event logs in the 'Attacker Machine-1' should have the IP address of the attacker. Let's see if we can find it in the Audit Failure logs with event ID 4625.
upvoted 0 times
Kanisha
5 months ago
B) 10.10.1.10
upvoted 0 times
Rueben
5 months ago
I think it might be A) 10.10.1.12.
upvoted 0 times
Ernest
5 months ago
A) 10.10.1.12
upvoted 0 times
